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Abstract — To assess whether the management of 
information security and the risks associated with its use, 
through computer networks, at the Peninsula State 
University of Santa Elena, is effective, it is proposed to 
implement a model that establishes the goals to achieve to 
advance through the different levels that make up the 
rating scale. 

To evaluate the management of information security and 
the risks associated with its use, it is necessary to have a 
maturity model that not only allows evaluating the 
processes involved in the management of information 
security, but also those associated with the management 
of the risks linked to the processing of information in all 
its phases, since an adequate information security plan 
depends on it. 

Based on the aforementioned, the objective of this paper 
is to propose a model for the management of information 
security and the risks associated with its use, in computer 
networks. 
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I. INTRODUCTION 

The information systems that in educational institutions 
are manipulated, sometimes, are directed towards the 
mission of the organization which usually have a hostile 
environment, that is why the security of information is a 
discipline that integrates a set of policies, processes, 
procedures, organizational stmctures and software and 
hardware functions to help protect the confidentiality, 
integrity, availability and traceability of resources 
managed by IS in organizations (Achiary, 2005). 


• Confidentiality: it is guaranteed that the 
information is accessible only by authorized 
persons. 

• Integrity: safeguard the accuracy and completeness 
of the information and processing methods. 

• Availability: it is guaranteed that authorized users 
have access to the information and resources 
related to it, whenever they require it. 

• Traceability: make the IS auditable through a 
history that allows knowing the location and 
trajectory of a resource. 

From these fundamental objectives of safety derive others 
such as: 

• Authenticity: seeks to ensure the validity of 
information in time, fonn and distribution, 
likewise, the origin of the information is 
guaranteed, validating the issuer to avoid identity 
theft. 

• Non-repudiation: avoid that an entity that has sent 
or received information alleges to third parties that 
it did not do so. 

hi order to regulate aspects related to security in 
information systems (IS), standards have been developed 
that propose a set of policies and good practices, which 
help to strengthen the security of information. Computer 
security is commonly associated with a small group of 
technical measures such as antivirus and firewalls, the 
controls to be established are many and varied 
(Montesino, 2009). 

Computer security as a concept has been evolving over 
time. Initially it was a discipline dominated by the elite of 
professionals specialized in the subject, but since the 
beginning of this century a more encompassing vision of 
information security has been proposed, which formally 
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links elements such as technology, the individual and the 
organization, emphasizing in the study of these and their 
relationships, to rethink computer security beyond the 
traditional technological experience (Cano, 2005). 
According to Solms (2006), computer security has gone 
through history through four stages. The first stage was 
characterized by the technical aspect, the second was 
related to the management approach, where aspects such 
as policies and processes began to be considered. The 
third stage became standardized and documents of good 
practices and certifications began to appear. 

Topics such as computer security culture, evaluation and 
monitoring began to be important. The fourth stage has 
been driven by regulations, where computer security has 
become a key aspect for the managers of the 
organizations and therefore is addressed from the first 
level of management. 

The process of information security management is 
described in the ISO / IEC 27001 standard, which is an 
internationally certifiable standard. This standard offers a 
model for the establishment, implementation, operation, 
monitoring, review, maintenance and improvement of an 
information security management system (ISMS) (ISO / 
IEC, 2005). 

The standard proposes a process approach where 
information security is not a state that is reached in a 
certain moment of time and remains unchanged, but is a 
continuous process that needs to be managed. Several 
actions are proposed that form a closed cycle for the 
continuous improvement of the system. 

The ISM3 consortium, made up of several companies and 
organizations, has developed the Maturity Model of 
Information Security Management (ISM3). This model 
aims to extend the quality principles established in ISO 
9001 to an ISMS. Instead of being oriented to controls, it 
focuses on computer security processes that may be 
common to all organizations (Aceituno, 2007). 

Five basic configurations for an ISMS are described, 
equivalent to levels of maturity, which allows 
organizations to scale up levels depending on their needs. 
There are three categories of management: strategic, 
tactical and operational, for which 45 processes are 
defined that must be considered. 

In ISM3 the processes related to computer security are 
described in detail, establishing objectives and metrics 
that allow establishing a quality system The practical and 
measurement approach, as well as the orientation towards 
the business objectives of the organization, is what 
differentiates this model from the rest of the related 
standards. 

II. MATERIALS AND METHODS 

In this research, an integrative analysis is carried out, 
considering all computer security controls proposed by 
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the main international guidelines and standards (ISO / 
IEC 27002 and NIST SP 800-53), implemented in the 
Peninsular State University of Santa Elena in Ecuador. 
For the management of information security and the risks 
associated with its use in computer networks, the model 
shown in Figure 1 is proposed. 



Fig. 1: Model for the management of information security 
and the risks associated with its use in computer 
networks. Source: self-made. 

The model is based on the following principles: 

1. Maximum automation: all automatable computer 
security controls must be considered. 

2. Integration: the management of computer security 
controls must be done from a centralized system that 
allows the monitoring and review of them. 

3. Synthesis: an adequate process of grouping and 
synthesis of the automatable controls must be carried 
out to manage a relatively small number of controls. 

4. Objective measurement: the effectiveness of the 
controls must be evaluated and measured by means of 
objective indicators obtained automatically from the 
data provided by the different IT security tools. 

5. Continuous improvement: the management of controls 
must be seen as a dynamic process consisting of several 
actions, which form a closed cycle for the continuous 
improvement of computer security controls. 

6. Generality: the model must be applicable to a wide 
variety of organizations. 

Based on the description of the principles of the model, 
which is proposed for the management of information 
security and the risks associated with its use in the 
computer networks of the Peninsula State University of 
Santa Elena, Ecuador, the automation for the automatable 
controls identified, defining the main computer security 
controls that must be automated for the protection of 
information security and the risks associated with their 
use through the computer networks of the Peninsula de 
Santa Elena State University, Ecuador. 
Automated computer security controls represent a 
grouping and synthesis of the automatable controls 
identified in the ISO / IEC 27002 and NIST SP 800-53 
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standards. Automation is applied to the actions of 
operation, monitoring and review of computer security 
automation controls for the protection of information 
security and the risks associated with their use through 
the computer networks of Santa Peninsula State 
University Elena, Ecuador. 

The central component of the model allows the 
integration of different IT security tools, the correlation of 
information and the generation of security reports in an 
automated way. Computer security controls are 
implemented and operated by different tools, but their 
monitoring is done centrally in the central component of 
the model. 

The central component of the model receives the 
information through the traces generated by the different 
systems, for which it is necessary to define connectors 
that allow interpreting the different formats of existing 
traces. The review of the controls is done through a group 
of computer security metrics, also defined as part of the 
model, which are calculated and reported in an automated 
way. 

The model developed for the management of information 
security and the risks associated with its use in computer 
networks of the Peninsula de Santa Elena State 
University, offers a comprehensive vision of the 
automation of computer security controls, considering all 
the automatable controls and defining the actions to be 
carried out automatically in each of the cases. 
The model also proposes an automation of the actions of 
operation, monitoring and review of computer security 
automation controls for the protection of information 
security and the risks associated with its use through 
computer networks, which is intended for Trace 
management and security event detection. This 
presupposes that a deep process of personalization and 
adaptation of the operation, monitoring and revision 
actions must be carried out to apply the proposed model, 
through the definition of connectors, policies, correlation 
rules and computer security reports. 

It is important to note that through the application of the 
model the operation, monitoring and review of a group of 
computer security controls is automated, which represents 
an important part of the process of managing computer 
security in its entirety. However, it should not be 
interpreted that the model solves all problems in an 
automated way. For an adequate management of 
information security, it is necessary to implement the rest 
of the controls proposed by the existing standards and 
regulations, which are not contemplated in this model. 
In addition, the model addresses the automation of the do 
and verify phases, so it is necessary to complete the 
management cycle even for automated controls. The 
automatically calculated indicators should be adequately 
reviewed by computer security specialists to take 
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corrective actions on the security controls implemented. 

III. RESULTS 

Through a survey applied to managers and specialists of 
the Santa Elena Peninsula State University, which aimed 
to evaluate the factors that contribute to increase the 
effectiveness of the controls and to reduce the complexity 
of the computer security management, the positive effect 
of automation and integrated management of controls, 
while recognizing the importance of other factors that are 
also key in the management of information security in 
computer networks. With respect to the use of some 
system of indicators to evaluate the effectiveness of 
computer security controls, 75% of the respondents 
answered affirmatively their use. 

It is also noted that the application of the model achieves 
maximum automation in the operation of the controls, and 
also automates the processes of monitoring and review 
thereof, which translates into greater effectiveness of 
computer security controls on the management of 
information security and the risks associated with its use 
in computer networks. 

IV. CONCLUSION 

After having assessed the controls proposed by the main 
international standards, it can be concluded that around 
40% of computer security controls are automatable. For 
the automated and integrated management of computer 
security controls, we propose the model for the 
management of information security and the risks 
associated with its use in computer networks at the 
Peninsula de Santa Elena State University, a model that 
has the following general characteristics: 

• Computer security controls are defined which 
represent a grouping and synthesis ofthe automatable 
controls identified. 

• Automation is applied to the actions of operation, 
monitoring and review of controls. 

• The correlation of information and the generation of 
security reports in an automated way is the central 
component of the model, allowing the integrated 
management of computer security controls. 

• The controls are reviewed through a group of 
computer security metrics, also defined as part ofthe 
model, which are calculated and reported 
automatically. 

The model developed offers a comprehensive vision of 
the automation of computer security controls, considering 
all the automatable controls and defining the actions to be 
carried out automatically in each case. 

The implementation of the model is carried out through 
the installation, configuration and personalization of 
existing IT security applications, as well as the 
complementation of them through small developments 
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that enable their adaptation to the proposed model. 
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